
ShareFile needs an Identity Provider (IdP) for SAML single sign-on, and Microsoft Active Directory Federation Services (ADFS) is the one most often used. ShareFile and XenMobile work together seamlessly when XenMobile is the IdP, but that would break the equally seamless integration of the Windows clients (ShareFile Outlook Plug-In, Desktop Sync and so on) that authenticate through ADFS. The solution is to use both IdPs at the same time, which is why this is called a dual IdP. The catch is the token-signing certificate: ShareFile trusts one signing certificate, and with ADFS 2.0 you cannot export the signing certificate with its private key. Even if you could, it would only be good for one year before ADFS automatically rolled over to a new certificate.

Citrix has a good document on how to set up the dual IdP with XenMobile and ADFS (Configure ADFS and XenMobile as a Dual IDP). I am not going to repeat it here with a few extra screenshots. I used the document myself, and there are things that in my opinion should be added, and one thing that is simply wrong. Read my comments on the document first and then use it to set up your dual IdP.

Comments on the Document

  1. On page 3 you find: "PEM Encoding Algorithm - Drop down to DES".
    This is wrong. With DES selected, even with the key size set to 2048, you only get a 2036-bit key, and ADFS will reject it later on. You must set the PEM Encoding Algorithm to DES3; that gives you a real 2048-bit key.

  2. On page 7 you find: "Run Powershell as Administrator on the ADFS server. Type: Get-ADFSProperties"
    This will not work until the ADFS cmdlets are loaded. In ADFS 2.0 they ship as a PowerShell snap-in, not a module, so load them first with: "Add-PSSnapin Microsoft.Adfs.PowerShell"

  3. After you have finished the ADFS part and restarted the ADFS service, it may still not work. In the ADFS event log you might find event 133: "The private key for the certificate that was configured could not be accessed." This is a permission issue: the ADFS service account cannot read the private key of the certificate you just configured.
    Note which account the ADFS service runs under, either "Network Service" or the specific user account you chose during the ADFS setup. Then follow the steps under "Confirm that private keys for certificates are accessible by the AD FS 2.0 service user account" in the TechNet article "Things to Check Before Troubleshooting AD FS 2.0". When done, restart the ADFS service.

  4. On the last page you find: Logout URL: Logout URL to ADFS, e.g. https://adfs.company.com/adfs/ls/?wa=wsignout1.0 (this will need to be added as a logout point on ADFS if not done so already).
    Follow that little side note, or you will get error messages at logout. To do so, open the properties of the "Relying Party Trust" for ShareFile and go to the Endpoints tab. There, add a new "SAML Logout" endpoint with that URL.
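Comments 1 to 4 are really one procedure on the ADFS server. The following PowerShell script is an added example, not part of the Citrix document or of this post, that ties them together: it loads the ADFS 2.0 snap-in, verifies the imported certificate is really 2048-bit, grants the ADFS service account read access to its private key before the service is restarted, and adds the SAML Logout endpoint to the relying party trust. The thumbprint, the relying party trust name "ShareFile" and the logout URL are placeholders you must replace; it assumes the certificate was imported into the local machine store as an RSA (CAPI) key and that ADFS 2.0 runs as the service named adfssrv.

```powershell
# Added example for the ADFS 2.0 side of the dual IdP setup.
# Not from the Citrix document or the original post; run elevated on the ADFS server.
# Placeholders: $thumbprint, $rpName, $logoutUrl.

# Comment 2: the ADFS 2.0 cmdlets are a PSSnapin, not a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: thumbprint of the imported cert
$rpName     = 'ShareFile'                                  # placeholder: relying party trust display name
$logoutUrl  = 'https://adfs.company.com/adfs/ls/?wa=wsignout1.0'

# Comment 1: check the key size before handing the certificate to ADFS.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
$keySize = $cert.PublicKey.Key.KeySize
if ($keySize -ne 2048) {
    throw "Key size is $keySize, expected 2048. Re-export the PEM with DES3, not DES."
}

# Comment 3: find the ADFS service account and give it read access to the private key.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
$serviceAccount = $svc.StartName     # e.g. 'NT AUTHORITY\NetworkService' or 'DOMAIN\svc_adfs'
Write-Host "AD FS 2.0 service runs as $serviceAccount"

if ($null -eq $cert.PrivateKey) {
    throw "Private key not readable from this session, or the key is not a CAPI RSA key."
}
# CAPI machine keys are files under ProgramData; the ACL on that file is what ADFS needs.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Keep ADFS from rolling over to a fresh certificate a year later, then use the imported one
# for token signing (assumed to match the ADFS part of the Citrix document).
Set-ADFSProperties -AutoCertificateRollover $false
Set-ADFSCertificate -CertificateType Token-Signing -Thumbprint $thumbprint

# Comment 4: add the SAML Logout endpoint. Set-ADFSRelyingPartyTrust replaces the whole
# endpoint list, so keep the existing endpoints and append the new one.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$logoutEndpoint = New-ADFSSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri $logoutUrl
$endpoints = @($rp.SamlEndpoints) + $logoutEndpoint
Set-ADFSRelyingPartyTrust -TargetName $rpName -SamlEndpoint $endpoints

# Restart and confirm event 133 is gone.
Restart-Service adfssrv
Start-Sleep -Seconds 10
$ev133 = Get-WinEvent -LogName 'AD FS 2.0/Admin' -MaxEvents 50 |
    Where-Object { $_.Id -eq 133 -and $_.TimeCreated -gt (Get-Date).AddMinutes(-1) }
if ($ev133) { Write-Warning "Event 133 still logged: private key still not accessible." }
else        { Write-Host "No event 133 after restart." }
```

If the certificate was imported with a CNG key instead of a CAPI key, `$cert.PrivateKey` is empty and the key file lives under `Microsoft\Crypto\Keys` instead; in that case use the certificate MMC snap-in (Manage Private Keys) as the TechNet article describes rather than this ACL step.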

I hope this helps you set up your dual IdP with ADFS and XenMobile successfully.
